Industry, not government, must lead in sharing cyber threats, expert says

Jason Healey, Atlantic Council

The government needs to get out of the way of the private sector sharing cyber
threat information. So says Jason Healey, the director of the Cyber Statecraft
Initiative for the Atlantic Council.

Instead of all of these small scale efforts, Healy said industries from
telecommunications to finance to energy need to lead the efforts. The government,
meanwhile, should provide incentives such as funding to promote cyber threat and
vulnerability sharing within and among sectors.

"I'm not convinced if they are doing what they ought to, the government is going
to be the right answer, especially this month of all months to say the government
is going to come in and save us is, I think, the folly as the shutdown has showed
us that the government is going to be able to do this," he said. "I'd find the
parts that are working and help them do better. A lot of these groups that are
making the biggest difference, it's people doing this as a side job, and just like
we saved the financial services information sharing and analysis center (FSISAC)
with a $2 million grant, a lot of these groups with a $100,000 or $500,000 could
really start improving a lot of security and start to clamp down on these attacks
without having to argue about authorities or having to argue about Title 10 or
Title 50 or any of the other things that ties D.C. up in knots."

Healey, who worked in the White House, for the Air Force and with Goldman Sachs,
said when he was part of the financial services ISAC in the early 2000s, the
Treasury Department gave them a $2 million grant to improve the cybersecurity of
banks across the country. He said that little bit of money made a huge
difference for large institutions and small alike — 13,000 in all.

"It's the companies that are in the front lines and the best sharing and the best
sharing tends to happen between companies in the same sector, and to a large
degree you don't have to have the government get involved in that," he said. "The
ISACs do a pretty good job sharing among each other."

He said the traditional
mindset of the industry telling the government about its problems and the
government coming back with an answer is not working. He said it's one of the
reasons why cyber problems of today are the same as those of yesterday.

"We realized that in Washington, D.C. and when you travel the world talking about
cybersecurity, we are really ignorant about anything that happened more than two
or three years ago," he said. "There's this feeling that it's all new because most
of us only got into the field in the last couple of years. We went all the way
back to early cyber conflicts of 1986, and if you look at what they went through,
it would feel familiar to us today."

The book focuses on eight cyber conflicts since 1986, including some well-known
ones such as Buckshot Yankee, a 2008 attack that gained access through a USB flash
drive and led the creation of the U.S. Cyber Command, and other lesser known ones
such as 1986's Cuckoo's Egg, in which the KGB paid German hackers to steal
information from the United States on the Star Wars program.

Healey said his goal is to help cyber defenses stay ahead of and be better than
cyber offenses. He said throughout history, defense usually has been better than
offense during military conflicts, and every
time the offense adjusted to gain the upper hand, the defense responded in kind.

"It's tough to get defense better than offense if you are working at the end
points," he said. "So if you think about it as a goal, and you could say, 'what
are the ways you could put out X amount of effort and get 100 or 1000 times X
effort on coming out?' It means you have to really work at scale. A lot of our
cyber policies are not working at scale. We say, 'let's work at DHS and we will
one company at a time,' and that's never going to get to a point where we are
ahead of this."

He said this goes back to the need to turn information sharing on its head and be
led by the private sector so they can bring the scale of their resources to bear.